Overview

overview

10

Static

static

51c54ed3a0...f1.exe

windows7-x64

10

51c54ed3a0...f1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • resource tags

    arch:x64arch:x86image:win7-20220414-enlocale:en-usos:windows7-x64system
  • submitted
    17-07-2022 15:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51c54ed3a0a1fd2576cecf974d189043f42355c1c97ba761d88a0885e732f4f1.exe

  • Size

    268KB

  • MD5

    191e32c98a540b72ebddf3dfbb3436a4

  • SHA1

    f812053fbb4dd3bb776b70b88a3bc494de7f9177

  • SHA256

    51c54ed3a0a1fd2576cecf974d189043f42355c1c97ba761d88a0885e732f4f1

  • SHA512

    971c569e0389d9bd356200e3b1a9c8a644d5c09998108b9decf188c67143406850e58f64ba89c5be2fb307754050e997176352ebbd44ee51e81493075363f7fb

Score
10/10
gootkit2410bankerbotnettrojan

Malware Config

Extracted

Family

gootkit

Botnet

2410

C2

clean.eco2plastic.com

ecos.eco2environmental.biz

trkajtools.com

quoteszones.com

mobileinstore.co.uk
Attributes
  • vendor_id

    2410

Signatures

  • Gootkit

    Gootkit is a banking trojan, where large parts are written in node.JS.

    trojanbankerbotnetgootkit
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\51c54ed3a0a1fd2576cecf974d189043f42355c1c97ba761d88a0885e732f4f1.exe
    "C:\Users\Admin\AppData\Local\Temp\51c54ed3a0a1fd2576cecf974d189043f42355c1c97ba761d88a0885e732f4f1.exe"
    1⤵
    • Checks BIOS information in registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\mstsc.exe
      C:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\51c54ed3a0a1fd2576cecf974d189043f42355c1c97ba761d88a0885e732f4f1.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7104051.bat" "C:\Users\Admin\AppData\Local\Temp\51c54ed3a0a1fd2576cecf974d189043f42355c1c97ba761d88a0885e732f4f1.exe""
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\SysWOW64\attrib.exe
          attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\51c54ed3a0a1fd2576cecf974d189043f42355c1c97ba761d88a0885e732f4f1.exe"
          4⤵
          • Views/modifies file attributes
          PID:1684

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7104051.bat
    Filesize

    72B

    MD5

    582bb6b38598bcd1ffa656307168854c

    SHA1

    5271c444472914810b49e92ada9a5b50cf40b670

    SHA256

    43568d81a40e8ba7eb5d1dd92186609d47268a3c44a193afb0f099f9c60320ad

    SHA512

    3e3199b9b6014a47a573558cdfe6b24c600d0d4e32c91ff7ae44761d92e38b1d398aa6c9776e47d6fe94a5d0b29821c817c7bfb4cef3c6925ab399d3d3085446

    Download Submit

  • memory/1380-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1380-59-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1684-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1688-58-0x0000000000000000-mapping.dmp

    Download

  • memory/1864-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1864-56-0x0000000000400000-0x0000000000443000-memory.dmp

    Filesize

    268KB

    Download